Managing Alerts

Start course

This course explores Microsoft Cloud App Security, including what it is, what it offers, and how it's configured. You'll learn about Cloud Discovery and how to configure Microsoft Cloud App Security. You’ll learn about access policies, policy templates, and how to manage OAuth apps, before diving into Cloud App Security log uploads.

We'll also look at app connectors and at the Cloud App Catalog before moving on to the Cloud App Security dashboard and ways to manage alerts. Finally, we'll cover data management reports.

Learning Objectives

  • Get a solid understanding of Microsoft Cloud App Security including what it is, what it offers, and how it's configured
  • Learn how to set up access policies and access templates
  • Learn how to manage OAuth apps and Cloud App Security uploads
  • Understand how app connectors and the Cloud App Catalog add security to your apps
  • Learn about Cloud App Security dashboard, how to manage alerts, and how to generate management reports

Intended Audience

This course is intended for those who wish to learn how to use Cloud App Security in Microsoft 365.


To get the most out of this course, you should already have some basic knowledge of Microsoft 365.


Hello, and welcome to Managing Alerts. Let’s talk a little bit about alerting in Cloud App Security.

As is the case in most environments and in most monitoring apps, alerts help you better-understand your environment. Cloud app alerts, more specifically, help you understand your cloud environment. For example, you might notice an admin sign-on from a country that your organization has no presence in. In such a case, that would be a concerning development. So what you could do to protect against this type of threat is create a policy that automatically suspends an admin account if it’s used to sign in from that location.

You essentially want to use alerts to understand what changes need to be made to your policies. To do this from the alerts page in Cloud App Security, you can view alerts with an Open resolution status.

The image on your screen shows an example.

This part of the cloud app security dashboard allows you to see suspicious activity or violations of any policies you’ve established. 

Alerts can be filtered by Alert type or by Severity. This allows you to focus on the most important alerts first. When you click on an alert, you’ll be presented with actions that can be taken, depending on the type of alert it is.

You can also filter alerts based on the app that generated them.

When investigating alerts, you’ll encounter a few different types of violations that you’ll have to deal with. They include serious violations, questionable violations, and authorized violations or anomalous behavior.

Serious violations typically require an immediate response. For example, if you see a suspicious activity alert, it’s probably a good idea to suspend the account in question until the user changes their password.

Questionable violations will typically need to be investigated before taking any action. For example, if you see something questionable regarding a specific user, you might want to communicate with the manager of the user to discuss the activity you are seeing. Once you’ve completed your investigation, you can close the activity alert.

Authorized violations or anomalous behavior might be caused by legitimate usage. If you are certain that a particular violation is authorized, you can just dismiss the alert.

Now, regardless of what type of alert it is that you are dismissing, you should always provide some commentary regarding why the alert is being dismissed. This is useful because the Cloud App Security team uses this feedback to tune the machine learning models for future alerts. 

If you find that a legitimate action generated a particular alert, it’s considered a benign positive or a false positive. A benign positive alert is an accurate alert, but the activity that generated it is considered legitimate. These types of alerts can be dismissed – and when you dismiss them, set the reason to either Actual severity is lower or Not interesting. A false positive alert is inaccurate. When you encounter a false positive alert, you should dismiss it and set the reason to Alert is not accurate.

Now, if you can’t determine whether or not an alert is legit due to too much noise, you should dismiss it and set the reason to Too many similar alerts.

A true positive alert is an alert that’s related to an actual risky event. Such an alert will turn up when a risky event is committed. Such events can be malicious or unintentional in nature – and they can be committed by an insider or outsider. Once you’ve take the necessary actions to remediate such events, you should set the event to Resolved.

There are all kinds of alerts that can be triggered – and there are many ways to resolve them. For example, an Activity Policy Violation is a type of alert that is generated when a policy you’ve created has been violated. You can use the Policy center to mitigate these types of alerts. You can fine-tune your policies with filters and more granular controls to ensure “noise” is filtered out. However, if your underlying policy is already tuned and you feel it’s accurate, such alerts are considered legit – and should be remediated. While you CAN remediate these types of alerts manually, you should also think about adding automatic remediation in the policy itself.

Other alert types that you’ll often find yourself dealing with are File Policy Violations, Compromised Accounts, Inactive Accounts, and many others.

The URL on your screen will take you to the complete table of Alert Types: 

About the Author
Learning Paths

Tom is a 25+ year veteran of the IT industry, having worked in environments as large as 40k seats and as small as 50 seats. Throughout the course of a long an interesting career, he has built an in-depth skillset that spans numerous IT disciplines. Tom has designed and architected small, large, and global IT solutions.

In addition to the Cloud Platform and Infrastructure MCSE certification, Tom also carries several other Microsoft certifications. His ability to see things from a strategic perspective allows Tom to architect solutions that closely align with business needs.

In his spare time, Tom enjoys camping, fishing, and playing poker.